Is it possible to have a successful data breach? The term sounds like an oxymoron and may make us cringe, but it reflects the simple fact that we’re doing business in an age when attempts to hack into our systems have become inevitable. It’s no longer a question of if we’ll be the next Target, Home Depot or JPMorgan Chase. It’s only a matter of when it happens and, more importantly, how you respond.
Your company likely has a plan for every natural disaster that could potentially occur, no matter how unlikely. There are emergency exits in case of fire, designated shelter areas in case of tornados and, unfortunately, training programs to prepare employees to respond to an active shooter. Do you have a plan to prepare for a data breach? If so, when was the last time you tested it?
More companies are hosting cybersecurity drills or partnering with others in their industry to launch a series of exercises. A dozen healthcare organizations collaborated to host a two-day simulated cyber-attack earlier this year, summarizing their findings in an industry report. But if your company is hosting a cybersecurity drill on a smaller scale, what should it involve?
At the time of this interview, Megan Hertzler, CIPP/US, was the director of information governance at Xcel Energy, a utility provider serving eight states in the West and Midwest, which has been hosting its own drills for the past two years. In this interview, Hertzler shares her best practices for hosting a cybersecurity drill.
Test Timing
Your company’s ability to respond to a data breach in a timely manner is essential. Although there are few legal requirements to notify customers within a specific time frame, the public, regulators and the media have all come to expect a more immediate disclosure of a data breach, Hertzler said.
Perception is everything, and the longer a company waits to notify the public, the more the public’s trust erodes. The timely announcement of a data breach also allows customers to be more proactive in protecting themselves, minimizing the potential for harm.
To speed up your response, be sure you have all strategic communications drafted, preapproved and ready to launch as soon as a breach can be confirmed. That includes having a microsite or landing page to explain what happened, how your company is addressing it and what customers should do in the meantime.
Once you have these elements in place, put your preparations to the test.
Test Your Call Centers
When Target experienced its data breach late last year, it was initially criticized when its call centers became quickly overwhelmed, leading to long wait times and dropped calls.
Taking a cue from Target’s experience, Xcel Energy had discussions with its customer service organizations to determine what call volume they could handle before becoming overwhelmed and who they would contact for backup support.
Hertzler said it’s essential to identify and preapprove additional third-party resources such as call centers, and to recognize that you won’t have any power to negotiate with them in a crisis. These additional expenses can add up quickly. It is worth the effort to identify what resources you may need, put a contract in place and discuss with your underwriter whether such services would be covered under your current insurance policy. If your general liability insurance policy isn’t sufficient, consider whether to obtain cyber insurance.
Look for Gaps
Xcel Energy hosts a series of drills to put every element of its plan to the test. Those drills range from tabletop exercises to full-on role-playing scenarios that involve participants from across the entire company.
“Role-playing is great because it quickly shows you where the gaps are,” Hertzler said. “If you call a specific person who is needed in that particular moment and you get their out-of-office message ... now all of a sudden you hit the wall. You realize that your plan needs to account for when a key person is unavailable; it’s got to identify who is the next person to call.”
Take note of anything that doesn’t go as planned during your drill, and make sure you take the time to address it before your next planned drill. This will allow you to further refine and validate your processes as you continue to plan and drill.
Drilling your employees on cybersecurity issues may sound intimidating, but it’s the only way to evaluate how effective your ultimate response will be and to make adjustments while you still have the luxury of time. With a few run-throughs, your business areas and leaders will become more confident in their roles and comfortable with the actions necessary to mitigate the potential harm to your customers and your brand. This planning also ensures that when your security is compromised, they remain calm and act quickly.
For more best practices from Hertzler and other cybersecurity and compliance professionals, download our free guide, Cybersecurity: 4 Best Practices From the Pros.